red flag rule


Upload: philip-latessa

Post on 26-Dec-2015


TRANSCRIPT

Page 1: Red Flag Rule

Red Flags Rule

... and its impact on you.

Page 2: Red Flag Rule

Red Flags Rule Expert

Bruce Nelson

Vice President

SearchAmerica, A part of [email protected]

At the end of today’s presentation, the speaker will be available for a Q&A session. Please send your questions to us using the WebEx question function.

Page 3: Red Flag Rule

Agenda

• Red Flags Rules Background

• Compliance Requirements for Healthcare

• Program Enforcement and Sample Policies

• Best Practices in a Risk Based Approach

• Risk Based Reconciliation of Address Discrepancies

• Q&A

Page 4: Red Flag Rule

Red Flags Rule Background

• On November 9, 2007, the FTC, FDIC, OCC, Board, OTS and NCUA issued their final rules and guidelines for implementing section 114 and section 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)

– Section 114 – Rule on duties regarding the detection, prevention, and mitigation of identity theft (i.e., Red Flags Rule)

– Section 315 – Rule on duties of users of consumer credit reports regarding address discrepancies

Final Rules: http://ftc.gov/opa/2007/10/redflag.shtm

Page 5: Red Flag Rule

What is the Red Flags Rule?

• Definition: A “Red Flag” is a pattern, practice, or specific activity that indicates the possible risk of identity theft.

• Purpose: To detect and stop identity thieves using someone else’s identifying information at your institution to commit fraud.

Page 6: Red Flag Rule

Who Must Comply?

Rules apply to “creditors” with “covered accounts.”

– A creditor is any entity or any assignee of an original creditor that regularly extends, renews, or continues credit OR any entity that regularly arranges for the extension, renewal, or continuation of credit.

• Examples: Finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies

– A covered account is an account used mostly for personal, family, or household purposes involving multiple payments or transactions.

• Examples: Credit card accounts, mortgage and automobile loans, cell phone accounts, utility accounts, checking and savings accounts.

Page 7: Red Flag Rule

What about Hospitals?

• Most believe hospitals fall under the rule’s broad definition of “creditor” and have patient accounts that would fall within the broad scope of “covered accounts.”

• The definition of creditor drawn from the Equal Credit Opportunity Act (ECOA) includes anyone who defers payment for services rendered.

Page 8: Red Flag Rule

Healthcare Scenario

A patient comes to an HCP. The HCP collects information, including medical history, billing, and insurance info. The patient pays a co-pay, but is ultimately responsible for payment for services. The HCP provides services; later the patient receives a bill (due upon receipt) for amounts unpaid by insurance. The patient never comes back to the HCP again.

Page 9: Red Flag Rule

What do I need to do?

• The Red Flags Rule and regulations require financial institutions and creditors to develop and implement a written identity theft prevention program.

• The program must be approved in writing by the board of directors, an appropriate committee of the board, or a designated senior manager.

Page 10: Red Flag Rule

How much time do I have?

The original enforcement deadline of November 1, 2008 was suspended until November 1, 2009.

3 Days from Today!

Page 11: Red Flag Rule

Building Your Red Flags Policy

Your program must contain “reasonable policies and procedures” to:

– Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program

– Detect Red Flags that have been incorporated into the Program

– Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft

– Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

Page 12: Red Flag Rule

Identify Red Flags

Final ruling includes 26 examples (Supplement A) of Red Flags that fall into these 5 categories:

1. Alerts, notifications or other warnings received from consumer reporting agencies or service providers

2. Presentation of suspicious documents

3. Presentation of suspicious personal identifying information

4. Unusual use of, or other suspicious activity related to, a covered account

5. Notice from customers, victims of identity theft, or law enforcement agencies

Page 13: Red Flag Rule

Example: Consumer Reporting Agency Warning

Warning from consumer reporting agencies:

– Fraud Alert

– Credit Freeze

– Notice of address discrepancy

– Unusual pattern of activity such as:

• Significant increase in the volume of inquiries

• An unusual number of recently established credit relationships

• A material change in the use of credit

Page 14: Red Flag Rule

Example: Suspicious Documents

• Patient provides altered or forged documents

• Patient’s appearance does not match the photograph or physical description on their ID

• Information on the documents is not consistent with information provided by patient or information you already have on file

Page 15: Red Flag Rule

Example: Suspicious Personal Identifying Information

• Patient-provided info is inconsistent when compared against external information sources

– SSN or address does not match what is listed in the consumer report

– SSN has not been issued, or is listed on the SSA’s Death Master File.

• Patient-provided info is associated with known fraudulent activity as indicated by internal or third-party sources

– The SSN, address or phone number on an application is the same as provided on a fraudulent application or submitted by other persons

– The address on an application is fictitious, a mail drop, or a prison

– The phone number is invalid, or is associated with a pager or answering service.

Page 16: Red Flag Rule

Example: Unusual Use of Account

• Unusual account activity:

– Nonpayment when there is no history of late or missed payments

– A material increase in the use of available credit

– A material change in purchasing or spending patterns

• New credit accounts used in a manner commonly associated with fraud:

– Majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics or jewelry)

– Customer fails to make the first payment or makes an initial payment but no subsequent payments.

• You are notified of unauthorized charges or transactions in connection with a customer’s covered account.

Page 17: Red Flag Rule

Example: Notice From Consumer

You are notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Page 18: Red Flag Rule

Detect Red Flags

Your program’s red flag detection procedures may include:

– Verify identity of new customers

– Authenticate existing customers

– Monitor transactions

– Verify validity of address changes

Page 19: Red Flag Rule

Respond to Red Flags

Appropriate responses may include:

– Monitor accounts

– Contact customer

– Change passwords

– Close and reopen account

– Refuse to open account

– Don’t collect on or sell account (against the true consumer)

– Notify law enforcement

– No response is warranted

Page 20: Red Flag Rule

Red Flags Program Updates

You will need to update your program periodically based on factors such as:

– Your institution’s experiences with identity theft

– Changes in methods of identity theft

– Changes in methods to detect, prevent, and mitigate identity theft

– Changes in your patient population and types of accounts

– Business arrangement changes such as mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

Page 21: Red Flag Rule

Program Adaptability

The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of activities.

Page 22: Red Flag Rule

Non-Compliance Penalties

• Compliance is monitored by FTC and there are currently no criminal penalties for failing to comply with the Red Flags Rule.

• However, financial institutions or creditors that violate the Rule may be subject to civil monetary penalties.

– $3,500 per violation

Page 23: Red Flag Rule

Sample Policy

• See Red Flags Rule White Paper - Co-authored by Experian and Hudson Cook, LLP

• http://www.bulldogsolutions.net/ExperianDecisionAnalytics/knowledgebase/RedFlagRule_FullWhitePaper.pdf

Page 24: Red Flag Rule

Address Discrepancy Rule

• Section 315 of the FACT Act – Rule on duties of users of consumer credit reports regarding address discrepancy notices received from a nationwide consumer reporting agency (i.e., Credit Bureau)

• This rule only applies to financial institutions or creditors that use consumer reports (i.e., credit reports)

Page 25: Red Flag Rule

Address Discrepancy Rule Cont’d

• Requires the CRA to send a notice of address discrepancy when it determines that the address provided “substantially differs” from the address the CRA has in the consumer’s file.

• Requires creditors that use consumer reports to put in place reasonable policies and procedures to employ when they receive a notice of address discrepancy.

Page 26: Red Flag Rule

Address Discrepancy Rule Cont’d

Requires users to develop and implement reasonable policies and procedures to furnish a confirmed address for the consumer to the NCRA when the user meets these criteria:

• Can form a reasonable belief that the report relates to the consumer

• Establishes a continuing relationship with the consumer

• Regularly, and in the ordinary course of business, furnishes information to the NCRA that provided the notice of address discrepancy.

Page 27: Red Flag Rule

Helpful Technology

SearchAmerica automatically flags significant address, SSN, and name discrepancies.

Page 28: Red Flag Rule

Helpful Technology

SearchAmerica automatically flags fraud alerts.

Page 29: Red Flag Rule

Helpful Technology

SearchAmerica offers Red Flags Rule reports and analytics.

Page 30: Red Flag Rule

FTC Contact Info

Naomi Lefkovitz

Federal Trade Commission

[email protected]

(202) 326-3058

http://www.ftc.gov/redflagsrule

Page 31: Red Flag Rule

Red Flags Rule Experts

Bruce Nelson

Vice President

SearchAmerica, A part of [email protected]

At the end of today’s presentation, the speaker will be available for a Q&A session. Please send your questions to us using the WebEx question function.

Thanks for your time and attention.

Questions or comments?